X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fdxa.c;h=0f64b5e61948bab8d10282a22b79f0c599845e73;hb=9b9f64fe315ca7a7a8b9517ab5c082ecb8b698be;hp=1d96f10ef4729a781ef09cfb0bdf7eb45950b379;hpb=a67387913eb0c19f2dac4f1e085e5429d2074d6f;p=ffmpeg

diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c
index 1d96f10ef47..0f64b5e6194 100644
--- a/libavcodec/dxa.c
+++ b/libavcodec/dxa.c
@@ -42,6 +42,7 @@ typedef struct DxaDecContext {
     AVFrame *prev;
 
     int dsize;
+#define DECOMP_BUF_PADDING 16
     uint8_t *decomp_buf;
     uint32_t pal[256];
 } DxaDecContext;
@@ -50,13 +51,17 @@ static const int shift1[6] = { 0, 8, 8, 8, 4, 4 };
 static const int shift2[6] = { 0, 0, 8, 4, 0, 4 };
 
 static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst,
-                     int stride, uint8_t *src, uint8_t *ref)
+                     int stride, uint8_t *src, int srcsize, uint8_t *ref)
 {
     uint8_t *code, *data, *mv, *msk, *tmp, *tmp2;
+    uint8_t *src_end = src + srcsize;
     int i, j, k;
     int type, x, y, d, d2;
     uint32_t mask;
 
+    if (12ULL  + ((avctx->width * avctx->height) >> 4) + AV_RB32(src + 0) + AV_RB32(src + 4) > srcsize)
+        return AVERROR_INVALIDDATA;
+
     code = src  + 12;
     data = code + ((avctx->width * avctx->height) >> 4);
     mv   = data + AV_RB32(src + 0);
@@ -64,6 +69,8 @@ static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst,
 
     for(j = 0; j < avctx->height; j += 4){
         for(i = 0; i < avctx->width; i += 4){
+            if (data > src_end || mv > src_end || msk > src_end)
+                return AVERROR_INVALIDDATA;
             tmp  = dst + i;
             tmp2 = ref + i;
             type = *code++;
@@ -245,6 +252,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
             av_log(avctx, AV_LOG_ERROR, "Uncompress failed!\n");
             return AVERROR_UNKNOWN;
         }
+        memset(c->decomp_buf + dsize, 0, DECOMP_BUF_PADDING);
     }
 
     if (avctx->debug & FF_DEBUG_PICT_INFO)
@@ -300,7 +308,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
             av_log(avctx, AV_LOG_ERROR, "Missing reference frame\n");
             return AVERROR_INVALIDDATA;
         }
-        decode_13(avctx, c, frame->data[0], frame->linesize[0], srcptr, c->prev->data[0]);
+        decode_13(avctx, c, frame->data[0], frame->linesize[0], srcptr, dsize, c->prev->data[0]);
         break;
     default:
         av_log(avctx, AV_LOG_ERROR, "Unknown/unsupported compression type %d\n", compr);
@@ -328,7 +336,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     avctx->pix_fmt = AV_PIX_FMT_PAL8;
 
     c->dsize = avctx->width * avctx->height * 2;
-    c->decomp_buf = av_malloc(c->dsize);
+    c->decomp_buf = av_malloc(c->dsize + DECOMP_BUF_PADDING);
     if (!c->decomp_buf) {
         av_frame_free(&c->prev);
         av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");